Channels

Services

EU to compel banks to admit "serious" data breaches

Speaking in London, Viviane Reding, the EU Justice Commissioner and Vice-President of the European Commission, has outlined plans to force companies to admit to breaches of data security. In her speech to the Data Protection and Privacy Conference of the British Bankers' Association, Reding said: "I intend to introduce a mandatory requirement to notify data security breaches – the same as I did for telecoms and internet access when I was Telecoms Commissioner, but this time for all sectors, including banking and financial services."

She noted that the current EU data protection rules date back to 1995, and, although they had served their purpose well, data protection legislation needs to be brought up to date. In particular, referring to the banking sector, she said that the rules and regulations for data protection varied considerably between the different countries of the EU, and that too much red tape – with its inherent cost implications – was involved for companies trying to comply with the regulations. Her intention is to ensure the situation is reformed, bringing consistent legislation across the EU.

This should simplify the situation for businesses, but, in return, she expects businesses "to do their share to ensure safe and transparent digital products and services". She considers that it is "entirely proportionate" that banks should have an obligation to notify their customers of any "serious" data security breach. She did not define what might entail a "serious" breach of data security.

Banks are notoriously reluctant to reveal any hacking attacks against their systems, because they consider that it might damage customers' confidence in their systems. Reding takes the opposite view, and believes that making banks admit when they have suffered data losses will force them to improve their systems which will improve confidence.

The proposals for revising the EU data protection laws will be finalised over "the coming months".